The Dumber Android Is, the Better, Say Experts

ZDOne writes "ZDNet UK is reporting that it will not be known until the Android software development kit comes out on Monday whether the Gphone will be strictly Java-based, but security experts claim that the less smart a phone is, the less vulnerable it is. Android developers should stick to a semi-smartphone platform because the Java sandbox can protect against the normal kinds of attacks, experts claim. The article also discusses some of the pros and cons of open vs. closed source security. 'The debate about the relative security merits of open-source as opposed to proprietary software development has been a very long-running one. Open-source software development has the advantage of many pairs of eyes scrutinizing the code, meaning irregularities can be spotted and ironed out, while updates to plug vulnerabilities can be written and pushed out very quickly. However, one of the disadvantages of open-source development is that anyone can scrutinize the source code to find vulnerabilities and write exploits. The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering.'"

No wrong...

[El_Muerte_TDS]

The smarter the user is the more secure the phone is.

perhaps completely unrelated

[BewireNomali]

social scientists have long inferred that dumber people are less likely to fall for hustles/social engineering/hacking/etc., because they lack the imagination to consider alternate realities.

i've been consulting for a new york firm for about 9 months now. i do a lot of traveling, but i'm in the new york home base office at least 4 times a week. i often misplace my card-key - and the receptionist refuses to buzz me in, EVERY TIME. She's always like, "I'm sorry, I don't know who you are." her policy is to never buzz anyone in. She angered the chairman once over it, who was talked out of firing her precisely because he's in the office like 3 times a year. She won't buzz people in and she's unrepentently steadfast about it. She's dumb as dirt.

Simple systems are more likely to be secure than more complex systems in general as they are less prone to component failure.

proprietary security is like creationism

[Ba3r]

There is an overwhelming consensus amongst real security professionals that security is achieved through openness, not obscurity and closed source. Just look at the systems that hyper secure organizations like the NSA advocate. Those who continue to rail against open source systems as being insecure because "hackers can look at the source" (yeah but they can't look at my key) seem as out of touch as creationists.

Android

[hansamurai]

This is the second article about Google Android today already and we never even discussed the original announcement, just what Ballmer and now ZDNet have to say. But I suppose there will be a long line of articles in the future so maybe it won't matter, just seems odd.

Open is better

[dnoyeb]

Thats foolishness. Open source is far and away a more secure platform than "closed" source. One problem with closed source is that no software is truly closed. So you still have a handful of perhaps underpaid folks that get to see the holes just for themselves. Not to mention same folks can add their own holes. And still when holes are found the closed source companies tend to act like they don't exist. And try to write for themselves contracts that prevent them getting in trouble for said holes. There are just too many problems with security in "closed" source software.

Open source does not have any of these problems. Only problem with open source is if you have one person who is significantly smarter than everyone else looking at the code and can come up with an exploit before anyone else notices. This is a more comfortable position to be in as far as I am concerned.

Re:perhaps completely unrelated

[starfishsystems]

Based on the evidence you've supplied, she's not dumb, just principled. It's entirely possible that this organization has a security policy which requires staff to act this way. That would explain why the chairman found that he couldn't just tell her to do it differently.

With that in mind, consider the possibility that you often misplace your security card as your failing. Instead of blaming someone else because they won't fix your life for you, take a little responsibility.

I know, it's a bit of a novel concept at first, but just try it on and see if life gets any better. Likely, it will, because this is one of those aspects of life over which you are actually in control. Or could be.

Wonders of open source

[BlueBoxSW.com]

I like open source projects (mysql and subversion are tops in my book), but I have to take exeption with the notion that open source software is great because thousands of people from around the world are looking at and trying to fix the code. I think this is bull$h!t. Open source code is coded by a small fraction of it's userbase. And each project still has one, or myme two people at the top that approve and integrate each real change. It's not this automated machine. When developing any kind of software, you still need a someone in charge. Any software project needs a way to align the needs of the market with the efforts of the developers. In closed-source software, this is provided by the market. Money. And coordinated by non-coders, who try to find the greatest need in the market and fill it, because there's cash to be made. In open source, there's no such mechanism. Coders with features because they need them for their particular purpose, or because they are cool. As a result, some important features always seem to get overlooked.

Re:Did I miss something?

[DanielJosphXhan]

I think researchers and experts, when they talk about how exploits are found, fundamentally mistake the issues. No-one reads source to find exploits: that's the hard way to go about it. Closed source has only disadvantages in this regard, especially with fewer hands to fix things.

The "many eyes" argument fails as well, though, simply because many eyes do not make for better security. Many hands, on the other... um... hand, make for better response time. Open source code tends to be more agile because it's open.

Embedded systems - feature vs. bug

[cdrguru]

The thing that a lot of people do not understand is that for the most part cell phones are one-time-programmable consumer electronic devices. Once the code is released to manufacturing, that is it. There are no more bugs - just unexpected features.

It matters not who is looking at the code in terms of fixing it. It is not updatable. I suppose it is possible that someone might come up with an updatable phone that was 100% impossible to "brick" but so far I've not see it. The risks do not outweigh the rewards with that and the current "experiment" with the iPhone is not proving to be very satisfying. Yes, they have a distribution technique for software updates through iTunes, but how many phones did they lose with the first update?

Treo has a slightly better record, except they do not have a distribution method. You have to download stuff and jump through all kinds of hoops. Perhaps 1 in 10 people update their Treo. I suspect Blackberry isn't much different from that. Also, it is far, far too easy to utterly destroy a Treo with a bad update.

No, I would not count on updates. Too risky and too little penetration. The end result is bugs that get released are features. And they are there to stay.

Re:Wonders of open source

[cptdondo]

Yabut...

The beauty of open source is that it lets people like me contribute little dribbles here and there. I've probably touched a couple of dozen projects; typically only contributing a single fix or small feature, even something as small as the ability to daemonize hot-babe.

Now by itself that's not much, and in the context of progress it's miniscule, but it adds a tiny feature. Certainly I'm not a cathedral builder, I'm more of the guy who comes in and sweeps up the dust by one door.... But with enough sweepers pretty soon the whole place is clean.

So your argument is predicated on the need for cathedral builders, but there are many, many more sweepers like me who contribute one small thing here and there.

That's what closed source is missing. There's no room for the sweepers; the folks who scratch that one minor itch.

Re:proprietary security is like creationism

[Repossessed]

What you describe is more security through difference than security through obfuscation. The problem with the closed source models is that inevitably, all of the targets are the same as what the attacker has, so the attacker can study his copy, find vulnerabilities, and then exploit them elsewhere. Being different than the standard will protect from this, obfuscating the attackers copy will only slow him down slightly.

Re:Did I miss something?

[Anonymous Coward]

No-one reads source to find exploits

You're joking, right? A while back I was hacked, quickly figured out the vector was an open source application I was running, pulled down the source and found a gaping hole in it within a couple of hours. Of course I don't know for a fact that the entry point was the hole I found, but finding one was enough for me, thankyou. Oh, and FWIW this particular FOSS application is widely used.